Does ISO 9001: 2015 require risk management?
No.
ISO says all that is needed to demonstrate ISO 9001:2015 compliance is a risk assessment.
But does ISO 9001:2015 imply risk management?
Yes, based on a careful read by our team of forensic risk engineers. See if the following makes sense:
THE CONFUSION
There is still confusion on this topic of risk assessment and risk management. ISO 9001:2015 has specific risk requirements to ensure QMS objectives can be achieved. ISO 9001 does not require a risk management system. This is where the confusion occurs.
ISO 9001:2015 implies risk management through its language of controls and objectives. What do we mean? ISO 9001:2015 states that risks are assessed. OK. But if there are critical risks, would you expect these risks to be mitigated or managed? Yes! The mitigation or treatment of risk is the same as the management of risk. So, in other words, ISO 9001:2015 implies risk management.
ISO 9001:2015 again does not specifically address 'risk management' and instead uses the expression 'address risks.' However, in a footnote, various options for addressing risks are identified, such as risk avoidance, risk mitigation, and risk acceptance, which are elements of a formal risk management process.
Is this an ISO mistake, or a failure to fully understand the unintended consequences of the new standard?
We don’t know!
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books, available on all platforms, are shown below: